When migrating a CA-less master to a full CA with an externally signed CA cert, the first step of the installation works as expected:
{{{
# ipa-ca-install --external-ca
Directory Manager (existing master) password:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-ca-install as:
/sbin/ipa-ca-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
}}}
The second step, however, fails with a wrong error message:
{{{
# ipa-ca-install --external-cert-file /root/ca.crt --external-cert /root/ipa.crt
Directory Manager (existing master) password:
CA is already installed on this host.
}}}
The problem is in the following check in ipaserver/install/ca.py on line 48, which does not take into account the use of external cert files:
{{{
if standalone:
    if cainstance.is_ca_installed_locally():
        sys.exit("CA is already installed on this host.")
    elif api.Command.ca_is_enabled()['result']:
        sys.exit(
            "One or more CA masters are already present in IPA realm "
            "'%s'.\nIf you wish to replicate CA to this host, please "
            "re-run 'ipa-ca-install'\nwith a replica file generated on "
            "an existing CA master as argument." % realm_name
        )
}}}
This was tested on IPA server built from 4-2 branch. Other branches should not be affected.
Steps to reproduce:
1.) Install CA-less master
2.) run {{{ipa-ca-install --external-ca}}}
3.) get the generated request and sign it with an external CA
4.) run second step of CA install:
ipa-ca-install --external-cert-file /path/to/IPA/cert --external-cert-file /path/to/external/CA/cert
Expected result:
CA installation proceeds as usual
Actual result:
CA installation in step 4 fails with:
{{{CA is already installed on this host.}}}
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1301687 (Red Hat Enterprise Linux 7)
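Added example (not FreeIPA code and not the fix that landed in the project): a stand-alone model of the precondition check quoted from ca.py above, with the state it consults passed in as plain arguments. The hypothetical `fixed` switch reproduces the reported behaviour when set to False, and when True lets the second step of an `--external-ca` install through by treating the presence of `--external-cert-file` arguments as the signal that a partially configured local CA instance is expected. Function and parameter names are assumptions made for illustration.

```python
"""Hypothetical model of the ipa-ca-install precondition check.

This is example code written for this ticket, not the check in
ipaserver/install/ca.py and not the fix that was merged. It only
models the decision logic so the reported failure can be reproduced
and compared with a version that accounts for external cert files.
"""


class CAInstallError(Exception):
    """Raised when the precondition check says the install must stop."""


def ca_install_precheck(standalone, external_cert_files, ca_installed_locally,
                        ca_enabled_in_realm, realm_name, fixed=True):
    """Return True when CA installation may proceed, else raise CAInstallError.

    Arguments model the state the real check consults (names are assumed):
      standalone           -- ipa-ca-install on an existing master
      external_cert_files  -- --external-cert-file paths given on the command
                              line (step 2 of --external-ca), or an empty list
      ca_installed_locally -- what cainstance.is_ca_installed_locally() reports
      ca_enabled_in_realm  -- what api.Command.ca_is_enabled()['result'] reports
      fixed                -- False reproduces the behaviour reported in the ticket
    """
    if not standalone:
        # ipa-server-install path: this check does not apply.
        return True

    if ca_installed_locally:
        # Step 1 of --external-ca already created the pki-tomcatd instance,
        # so a local CA is expected to exist when step 2 supplies the signed
        # certificates. The unfixed check does not distinguish that case.
        if fixed and external_cert_files:
            return True
        raise CAInstallError("CA is already installed on this host.")

    if ca_enabled_in_realm:
        raise CAInstallError(
            "One or more CA masters are already present in IPA realm "
            "'%s'.\nIf you wish to replicate CA to this host, please "
            "re-run 'ipa-ca-install'\nwith a replica file generated on "
            "an existing CA master as argument." % realm_name
        )

    return True


def precheck_message(**kwargs):
    """Run the check and return its error message, or None if it may proceed."""
    try:
        ca_install_precheck(**kwargs)
    except CAInstallError as exc:
        return str(exc)
    return None


# Constructed state for step 2 of the reproducer: external cert files given,
# the step-1 instance present locally, no CA master elsewhere in the realm.
STEP2_STATE = dict(
    standalone=True,
    external_cert_files=["/path/to/IPA/cert", "/path/to/external/CA/cert"],
    ca_installed_locally=True,
    ca_enabled_in_realm=False,
    realm_name="EXAMPLE.TEST",
)


def reproduce_ticket():
    """Return (message from the unfixed check, message from the fixed check)."""
    return (precheck_message(fixed=False, **STEP2_STATE),
            precheck_message(fixed=True, **STEP2_STATE))


if __name__ == "__main__":
    buggy, fixed = reproduce_ticket()
    print("unfixed check:", buggy)
    print("fixed check:", fixed)
```

The fixed branch still refuses a plain `ipa-ca-install` (no external cert files) on a host that already has a CA, and still refuses a standalone install on a CA-less host when another CA master exists in the realm; only the second step of an external-CA install is let through.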
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.2.4